Persistent cross-site scripting vulnerability detection

ABSTRACT

Various techniques for detecting a persistent cross-site scripting vulnerability are described herein. In one example, a method includes detecting, via the processor, a read operation executed on a resource using an instrumentation mechanism and returning, via the processor, a malicious script in response to the read operation. The method also includes detecting, via the processor, a write operation executed on the resource using the instrumentation mechanism and detecting, via the processor, a script operation executed by the malicious script that results in resource data being sent to an external computing device from a client device. Furthermore, the method includes receiving, via the processor, metadata indicating the execution of the read operation, the write operation, and the script operation.

BACKGROUND OF THE INVENTION

The present invention relates to detecting a vulnerability, and morespecifically, but not exclusively, to detecting a persistent cross-sitescripting vulnerability.

SUMMARY

According to an embodiment described herein, a method for detecting apersistent cross-site scripting vulnerability includes detecting, via aprocessor, a read operation executed on a resource using aninstrumentation mechanism. The method also includes returning, via theprocessor, a malicious script in response to the read operation anddetecting, via the processor, a write operation executed on the resourceusing the instrumentation mechanism. Additionally, the method includesdetecting, via the processor, a script operation that indicates theexecution of the malicious script that results in resource data beingsent to an external computing device from a client. Furthermore, themethod includes receiving, via the processor, metadata indicating theexecution of the read operation, execution of the write operation, andexecution of the script operation.

According to another embodiment, a system for detecting a persistentcross-site scripting vulnerability can include a memory devicecomprising processor executable instructions and a processor to sendinput to an application with a scanner. The processor can also detect aread operation executed on a resource using an instrumentation mechanismand return a malicious script in response to the read operation.Additionally, the processor can detect a write operation executed on theresource using the instrumentation mechanism and detect a scriptoperation that indicates the execution of the malicious script thatresults in resource data being sent to an external computing device.Furthermore, the processor can receive metadata indicating the executionof the read operation, the write operation, and the script operation,and send the metadata to a monitoring module.

According to another embodiment, a computer program product fordetecting a persistent cross-site scripting vulnerability is describedherein, the computer program product comprising a computer readablestorage medium having program code embodied therewith, the program codeexecutable by a processing circuit to perform a method comprisingsending, via the processing circuit, input to an application with ascanner. The program code executable by the processing circuit can alsoperform a method comprising detecting, via the processing circuit, aread operation executed by the application on a resource, returning, viathe processing circuit, a malicious script in response to the readoperation, and detecting, via the processing circuit, a write operationexecuted by the application on the resource. Additionally, the programcode executable by the processing circuit can also perform a methodcomprising detecting, via the processing circuit, a script operationthat indicates the execution of the malicious script that results inresource data being sent to an external computing device, receiving, viathe processing circuit, metadata indicating the execution of the readoperation, the write operation, and the script operation, and sending,via the processing circuit, the metadata to a monitoring module.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an example of a computing device that candetect a persistent cross-site scripting vulnerability;

FIG. 2 is a process flow diagram of an example method that can detect apersistent cross-site scripting vulnerability;

FIG. 3 is a tangible, computer-readable storage medium that can detect apersistent cross-site scripting vulnerability;

FIG. 4 is a block diagram of an example for detecting a persistentcross-site scripting vulnerability using techniques described herein;and

FIG. 5 is a block diagram of an example for detecting a persistentcross-site scripting vulnerability using techniques described herein.

DETAILED DESCRIPTION

According to embodiments of the present disclosure, a computing devicecan detect a persistent cross-site scripting vulnerability. A persistentcross-site scripting vulnerability, as referred to herein, can includeany flaw in any suitable application that enables the injection orinsertion of a client-side script into data viewed by other users. Forexample, a persistent cross-site scripting vulnerability can exist in aweb application that allows a client-side script to be inserted into aweb page viewable by other users. In some examples, the client-sidescript can be inserted into a web application through any suitable textbox, or other user interface, among others. A client-side script, asreferred to herein, can include any suitable script in any suitablescripting language that can be executed on a client such as a webbrowser, or web application, among others.

In some examples, the client-side scripting vulnerability can bepersistent or non-persistent. In persistent client-side scriptingvulnerabilities, a client-side script can be displayed continuouslythrough a website or web browser to any number of users when data issaved by a server. For example, a persistent client-side scriptingvulnerability can include enabling users to post HTML formatted messageson a web page and allowing other users to view the HTML formattedmessages. In a non-persistent client-side scripting vulnerability, aclient-side script may be injected or inserted into a web client throughsearch engines, among others. For example, the text of a search enteredinto a search engine may include control characters that enable a scriptto be injected into a web client or web browser.

In some examples, a client-side script may not be executed for anextended period of time. Accordingly, testing an application todetermine if a persistent cross-site scripting vulnerability exists cantake an unknown period of time to complete. The techniques describedherein can minimize the period of time for testing a web client orapplication for a persistent cross-site scripting vulnerability and alsodetermine resources that are susceptible to a persistent cross-sitescripting vulnerability.

FIG. 1 is an example of a computing device that can detect a persistentcross-site scripting vulnerability. The computing device 100 may be, forexample, a desktop computer, laptop computer, tablet computer, orsmartphone. The computing device 100 may include a processor 102 that isadapted to execute stored instructions, a memory device 104 that canstore said instructions. The processor can be a single-core processor,multi-core processor, computing cluster, or any number of otherconfigurations. The memory 104 can include random access memory (RAM),read only memory, flash memory, or any other suitable memory systems.The instructions executed by the processor 102 may be used to implementa method that can detect a persistent cross-site scriptingvulnerability.

The processor 102 may be connected through a system interconnect 106(e.g., PCI®, PCI-Express®, etc.) to an input/output (I/O) deviceinterface 108 adapted to connect the computing device 100 to one or moreI/O devices 110. The I/O devices 110 may include, for example, akeyboard and a pointing device, wherein the pointing device may includea touchpad or a touchscreen, among others. The I/O devices 110 may bebuilt-in components of the computing device 100, or may be devices thatare externally connected to the computing device 100.

The processor 102 may also be linked through the system interconnect 106to a display interface 112 adapted to connect the computing device 100to a display device 114. The display device 114 may include a displayscreen that is a built-in component of the computing device 100. Thedisplay device 114 may also include a computer monitor, television, orprojector, among others, that is externally connected to the computingdevice 100. In addition, a network interface controller (also referredto herein as a NIC) 116 may be adapted to connect the computing device100 through the system interconnect 106 to a network 118. In someembodiments, the NIC 116 can transmit data using any suitable interfaceor protocol, such as the internet small computer system interface, amongothers. The network 118 may be a cellular network, a radio network, awide area network (WAN), a local area network (LAN), or the Internet,among others. An external computing device 120, such as a client device,may connect to the computing device 100 through the network 118. Theexternal computing device 120 is described in greater detail below.

The processor 102 may also be linked through the system interconnect 106to a storage device 122 that can include a hard drive, an optical drive,a USB flash drive, an array of drives, or any combinations thereof. Insome examples, the storage device 122 can include a scanner module 124,an instrumentation agent 126, and an application 128. In someembodiments, the scanner module 124 can generate any suitable input thatis provided to an application 128. The input can include any number ofalphanumeric characters, among other characters, that simulate usergenerated input. The scanner 124 can also include the capability ofinjecting client-side scripts in the input. In some embodiments, thescanner module 124 can send the generated input to the application 128.

In some examples, an application 128, as referred to herein, can includeany suitable web application, an application that is executed by a webbrowser, or an application rendered by a web browser, among others. Forexample, an application 128 may include any suitable web browser thatcan detect input and display information in response to the input. Insome examples, an application 128 may implement a search engine, or aweb forum, among others.

In some embodiments, the instrumentation agent 126 can monitor functioncalls, such as read operations, and write operations, among others,executed by the application 128 on a resource to determine if avulnerability exists within the application 128. A resource as referredto herein can include any data which an application can write to, readfrom, or include in operations. For example, a resource can include adatabase cell, a log entry, pictures, or text files, among others. Aresource may be stored on the same computing device 100 as theapplication 128 or the resource may be stored on another computingdevice. In some embodiments, the instrumentation agent 126 can monitorfunction calls executed by the application 128 on a resource to detectif a read operation, a write operation, or a script operation isexecuted by the application 128. For example, the instrumentation agent126 can monitor a resource accessible by the application 128 anddetermine if the application 128 executes a read operation on aresource, writes to the resource through a write operation, or if amalicious script returned to the application 128 is sent to additionalapplications or computing devices through a script operation. In someembodiments, the instrumentation agent 126 can detect a read operationfrom the application 128 on a resource and return a client-side scriptrather than returning data from the resource. The instrumentation agent126 can also enumerate a resource by assigning an identifier to eachaccessed resource and include the enumerated resource identifier, alongwith call stack information, in a malicious client-side script.

In some embodiments, the instrumentation agent 126 can also detectmetadata from the application 128 that indicates information such aswhether a read operation, write operation, or script operation has beenexecuted, or call stack data, among others. The call stack data caninclude state information for the application 128 such as pointervalues, parameter values, and return addresses, and the like. Theinstrumentation agent 126 can send the metadata to any suitableapplication, hardware component, external computing device, or operatingsystem, among others.

In some embodiments, the external computing device 120 can provideinformation to the computing device 100 to indicate that a scriptoperation has been executed by the malicious script. For example, themalicious script may be executed on an external computing device 120,which results in the execution of the script operation that sends dataabout a resource to the instrumentation agent 126. In some examples, themalicious script sends data about a resource from an external computingdevice 120 to the instrumentation agent 126 through a separate computingdevice (also referred to herein as a validation server). The externalcomputing device 120 may also send any suitable metadata or call stackdata to the instrumentation agent 126, which can assist in determiningthe source of the vulnerability in the application 128. For example, thecall stack data can include a sequence of function calls that result inread and write operations executed by the application 128 on a resource.

It is to be understood that the block diagram of FIG. 1 is not intendedto indicate that the computing device 100 is to include all of thecomponents shown in FIG. 1. Rather, the computing device 100 can includefewer or additional components not illustrated in FIG. 1 (e.g.,additional memory components, embedded controllers, additional modules,additional network interfaces, etc.). Furthermore, any of thefunctionalities of the scanner module 124, or the instrumentation agent126, may be partially, or entirely, implemented in hardware and/or inthe processor 102. For example, the functionality may be implementedwith an application specific integrated circuit, or in logic implementedin the processor 102, among others.

FIG. 2 is an example of a method that can detect a persistent cross-sitescripting vulnerability. The method 200 can be implemented with anysuitable computing device, such as the computing device 100 of FIG. 1.

At block 202, the scanner module 124 can send, via a processor, input toan application. The input can include any suitable number ofalphanumeric or control characters, among others, that can be entered inany suitable text box, or any additional user input section of anapplication. The application can include any suitable web application,an application that is executed by a web browser, or an applicationrendered by a web browser, among others. In some embodiments, thescanner module 124 can generate input based on simulated userinteraction with an application. In some examples, the scanner module124 can send input to an application that results in the applicationreading data from a resource or writing data to a resource.

At block 204, the instrumentation agent 126 can detect, via theprocessor, that a read operation is executed on a resource using aninstrumentation mechanism. A resource can include any data which anapplication can write to, read from, or execute. For example, a resourcecan include a database cell, a log entry, pictures, or text files, amongothers. In some embodiments, the instrumentation agent 126 can detectthat a read operation is executed on a resource using an instrumentationmechanism. An instrumentation mechanism, as referred to herein, enablesthe monitoring or hooking of function calls on a resource by anapplication. For example, an instrumentation mechanism may enable aninstrumentation agent 126 to monitor or hook onto a read function on aresource and the instrumentation agent 126 can modify a read bit inmetadata to indicate the execution of the read operation. Monitoring orhooking function calls enables the instrumentation agent 126 to detectwhen a function call attempts to access a resource. For example, theinstrumentation agent 126 may detect when a resource is accessed by anapplication. In some embodiments, the instrumentation agent 126 can alsomonitor call stack data and return the call stack data as metadata whenthe resource is accessed.

At block 205, the instrumentation agent 126 can return, via a processor,a malicious script in response to the read operation. A maliciousscript, as referred to herein, can include any suitable script,programming code, or any suitable text, that can read data, modify data,or retrieve data without permission. In some examples, theinstrumentation agent 126 returns a malicious script in response to adetected function call. For example, the instrumentation agent 126 mayreturn a malicious script to determine if an application will remove orsanitize the malicious script from the returned data.

At block 206, the instrumentation agent 126 can detect, via theprocessor, that a write operation is executed on the resource using aninstrumentation mechanism. For example, the instrumentation agent 126may detect when an application executes a function call that results inwriting or storing data to a resource. In some embodiments, theinstrumentation agent 126 can detect if an application sanitizes inputthat includes malicious scripts. For example, an application cansanitize the malicious script included in input by removing any controlcharacters or operations from the malicious script that may read to,write from, or otherwise access data stored in a resource. In someembodiments, the instrumentation agent 126 can modify a write bit inmetadata if the write operation is executed without alteration. Thewrite bit in the metadata can indicate that a resource is writable, thata write function call is issued by an application, and that unsanitizeddata is written to a resource by the application. Unsanitized data, asreferred to herein, can include any data received as input by anapplication for which the application does not remove control charactersbefore writing the input to a resource.

In some embodiments, the instrumentation agent 126 can detect and storecall stack information and test information when a write operation isexecuted by an application. The call stack information can include anysuitable data that indicates the state of the application at the time ofthe execution of the write operation. For example, the call stackinformation may include any suitable number of variables, variablevalues, and states of functions, among others. The test information caninclude any suitable data that indicates the resource that is altered bythe write operation and a test signature associated with the applicationthat executed a write operation. In some examples, the test signaturecan include any suitable string of alphanumeric characters.

At block 208, the instrumentation agent 126 can detect, via theprocessor, a script operation that indicates the execution of themalicious script that results in resource data being sent to an externalcomputing device from a client. Resource data, as referred to herein,can include any suitable data related to a resource such as data fromthe resource, data indicating a location of the resource, an enumeratedresource identifier, if a write function call was detected before a readfunction call, a test identifier that caused an application to write toa resource, a call stack of an application, or data indicating aproperty of the resource, among others. In some embodiments, a maliciousscript can be executed on a client device, which can result in theexecution of a script operation that sends resource data to an externalcomputing device. A script operation, as referred to herein, can includeany suitable function call executed by a client-side script that sendsdata to another computing device. In some embodiments, theinstrumentation agent 126 can detect when a script operation has beenexecuted on a client device by detecting data from the client device. Insome examples, an external computing device can send any suitablemetadata to the instrumentation agent 126 indicating that a scriptoperation has been executed by a malicious script and resource data hasbeen sent to an external computing device. In some embodiments, theinstrumentation agent 126 can modify a script bit in metadata inresponse to detecting that a script operation has been executed by amalicious script. For example, the instrumentation agent 126 may detectwhen an external computing device executes the malicious script becausethe execution of the malicious script may result in data about aresource being sent to the instrumentation agent 126. Theinstrumentation agent 126 may also receive data from a script operationfrom a validation server, or additional computing device, that receivesdata directly from a client device on which the malicious script isexecuted.

At block 210, the instrumentation agent 126 can receive, via theprocessor, metadata indicating the execution of the read operation, thewrite operation, and the script operation by the malicious script. Asdiscussed above, the metadata can include a read bit, a write bit, and ascript bit that indicate, respectively, if a read operation, writeoperation, or script operation has been executed. The metadata can alsoinclude the call stack data or test information at the time of executionof a read operation, write operation, or script operation. In someembodiments, the instrumentation agent 126 can generate and send awarning or indication to a monitoring module that an application has aclient-side scripting vulnerability based on the metadata. For example,if metadata indicates that a read operation, write operation, and scriptoperation have been executed, the instrumentation agent 126 can send themetadata to a monitoring module. In some examples, the monitoring modulecan be implemented by an operating system, an application, or codeexecuted in a hardware device, among others. The monitoring module cananalyze the metadata to determine information regarding the identifiedvulnerability such as time of execution, among others.

In some embodiments, the monitoring module can indicate resources thatare susceptible to a blind persistent cross-site scriptingvulnerability. A blind persistent cross-site scripting vulnerability caninclude a flaw in which an application stores a malicious script in aresource, but the creator of the malicious script cannot determine whenor where the malicious script is executed. In some embodiments, amalicious script may use a blind cross-site validation server toidentify the data received from execution of a malicious script. Forexample, a malicious script may send resource data, or any othersuitable data, to a blind cross-site validation server, which indicatesthat the malicious script has been executed. The metadata from theinstrumentation agent 126 can expedite the identification of a blindcross-site vulnerability by indicating that a malicious script hasexecuted a read operation, a write operation, and a script operation, orany combination thereof. In some examples, the instrumentation agent 126can perform any of the operations of the monitoring module.

The process flow diagram of FIG. 2 is not intended to indicate that theoperations of the method 200 are to be executed in any particular order,or that all of the operations of the method 200 are to be included inevery case. Additionally, the method 200 can include any suitable numberof additional operations. In some embodiments, the instrumentation agent126 can detect a read operation once a write operation has beendetected. For example, the instrumentation agent 126 may detect a writeoperation that alters the values stored in a resource. In response todetecting the write operation, the instrumentation agent 126 may monitorthe resource to determine if a read operation accesses the resource.Additionally, the instrumentation agent 126 may also detect a readoperation and send a malicious script to an application rather than thedata requested from the read operation. In some embodiments, theinstrumentation agent 126 can also enumerate a resource by assigning anidentifier to the resource. In some examples, when the maliciousclient-side script is executed by a client device, the client-sidescript sends resource data such as the enumerated resource identifier,and call stack, among others to the instrumentation agent 126 through avalidation server.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

Referring now to FIG. 3, a block diagram is depicted of an example of atangible, computer-readable storage medium that can detect a persistentcross-site scripting vulnerability. The computer-readable storage medium300 may be accessed by a processor 302 over a computer interconnect 304.Furthermore, the computer-readable storage medium 300 may include codeto direct the processor 302 to perform the operations of the currentmethod.

The various software components discussed herein may be stored on thecomputer-readable storage medium 300, as indicated in FIG. 3. Forexample, a scanner module 306 may generate any suitable input that isprovided to an application. The scanner 306 may, in some examples,include a client-side script in the input. In some embodiments, aninstrumentation agent module 308 may monitor an application to determineif a vulnerability exists within the application. For example, theinstrumentation agent module 308 may detect that an application executesa read operation, a write operation, or a script operation from aclient-side script included in the input from the scanner 306. In someembodiments, the instrumentation agent module 308 can retrieve metadataindicating the vulnerability of the application. It is to be understoodthat any number of additional software components not shown in FIG. 3may be included within the computer-readable storage medium 300,depending on the specific application.

FIG. 4 is a block diagram of an example technique for detecting apersistent cross-site scripting vulnerability. The persistent cross-sitescripting vulnerability can be detected with a black box tester 402, aweb server 404, a validation server 406, and resources 408. In someembodiments, the web server 404 can include a glassbox agent 410 and aweb application 412, which can include a support portal 414 and a userportal 416. In some examples, the black box tester 402 can beimplemented with the scanner module 124 of FIG. 1, the validation server406 can be implemented with the external computing device 120 of FIG. 1,the web server 404 can be implemented with the computing device 100 ofFIG. 1, the glassbox agent 410 can be implemented with theinstrumentation agent 126 of FIG. 1, and the web application 412 can beimplemented with the application 128 of FIG. 1. Additionally, in someexamples, the black box tester 402 can be implemented by the web server404. Furthermore, the resources 408 can include any suitable data fromdatabase cells 418 and 420, log entries, or text files, among others.

In some embodiments, the black box tester 402 can interact (indicated bythe circled 1) with the web application 412 so that the web application412 executes read operations on the resources 408. For example, theblack box tester 402 can provide input to the web application 412 thatsimulates user input through a user portal 416, which requests datastored in resources 408. In some embodiments, the glassbox agent 410 canmonitor or hook onto read function calls on the resources 408 by the webapplication 412 and the glassbox agent 410 can return (as indicated bythe circled 2) a malicious client-side script rather than the data fromthe resources 408. In some examples, the glassbox agent 410 enumeratesthe resource and marks the resource as readable by storing a value as aread bit.

In some embodiments, the web application 412 returns the maliciousclient-side script to the black box tester 402 in place of the data fromthe resource 408. When executed, the script can cause an alert to besent (indicated by the circled number 3) from the black box tester 402to the validation server 406. The alert indicates that the webapplication 412 does not sanitize data returned from the resources 408in response to a read operation. Accordingly, scripts stored in theresources 408 can be executed by clients who request the resources. Insome embodiments, the validation server 406 can send (indicated by thecircled number 4) the alert to the glassbox agent 410, which can store avalue as a script bit that indicates the execution of a script by theblack box tester 402.

Additionally, the black box tester 402 can send (indicated by thecircled 5) input to the web application 412 that results in a writeoperation to the resources 408. For example, the black box tester 402can send data and/or client-side scripts through a text box in the webapplication 412, wherein the data and/or client-side scripts are storedin the resources 408 by the web application 412. The glassbox agent 410can monitor function calls on the resources 408 to detect that the webapplication 412 is attempting to store a client-side script in theresources 408 and the glassbox agent 410 can store a value as a writebit indicating that the web application 412 failed to sanitize a writeoperation. For example, a web application 412 can sanitize a writeoperation by preventing a client-side script received from the black boxtester 402 from being stored in the resources 408.

It is to be understood that the block diagram of FIG. 4 is not intendedto indicate that the web server 404 is to include all of the componentsshown in FIG. 4. Rather, the web server 404 can include fewer oradditional components not illustrated in FIG. 4 (e.g., any number ofblack box testers 402, embedded controllers, additional modules,additional network interfaces, etc.). Furthermore, the operationsillustrated in FIG. 4 can be executed in any particular order.

FIG. 5 is a block diagram of an example technique for detecting apersistent cross-site scripting vulnerability. The persistent cross-sitescripting vulnerability can be detected with black box testers 502 and503, a web server 504, a validation server 506, and resources 508. Insome embodiments, the web server 504 can include a glassbox agent 510and a web application 512, which can include a support portal 514 and auser portal 516. The support portal 514 may be accessible by a supportteam, while the user portal 516 may be accessible by any user. In someexamples, the black box tester 502 can be implemented with the scannermodule 124 of FIG. 1, the validation server 506 can be implemented withthe external computing device 120 of FIG. 1, the web server 504 can beimplemented with the computing device 100 of FIG. 1, the glassbox agent510 can be implemented with the instrumentation agent 126 of FIG. 1, andthe web application 512 can be implemented with the application 128 ofFIG. 1. Additionally, in some examples, the black box testers 502 and503 can be implemented by the web server 504. Furthermore, the resources508 can include any suitable data from database cells 518 and 520, logentries, or text files, among others.

In some embodiments, a black box tester 502 can send (indicated by thecircled 1) input to the web application 504 that results in the webapplication 504 writing data to a database cell 518 or 520 in theresources 508. The glassbox agent 510 can monitor (indicated by thecircled 2) the operations performed on the database cell 518 or 520,enumerate database cell 518 or 520, and store a value as a write bitwhen database cell 518 or 520 is written to. In some embodiments, theblack box tester 503 can cause (indicated by the circled number 3) theweb application 512 to read data from database cell 518 or 520. Forexample, the black box tester 503 can retrieve data sent by the blackbox tester 502 and stored in database cell 518 or 520. In someembodiments, a web application 512 can sanitize a write operation bypreventing a client-side script received from the black box tester 502from being stored or written to database cells 518 or 520. For example,the web application 512 can detect a client-side script in inputreceived from the black box tester 502 and the web application 512 canoutput obfuscated data that cannot be executed as the client-sidescript.

In some embodiments, the glassbox agent 510 can monitor or hook ontoread function calls on the database cells 518 or 520 by the webapplication 512 and the glassbox agent 510 can return (as indicated bythe circled 4) a malicious client-side script to the black box tester503 rather than the data from the database cells 518 or 520. In someexamples, the glassbox agent 510 enumerates the resource and marks theresource as readable by storing a value as a read bit.

In some embodiments, the black box tester 503 executes the scriptreturned by the glassbox agent 510 in place of the data from theresource 508. When executed, the script can cause an alert to be sent(indicated by the circled number 5) from the black box tester 503 to thevalidation server 506. The alert indicates that the web application 512does not sanitize data returned from the resources 508. Accordingly,scripts stored in the resources 508 can be returned and executed byclients, such as black box tester 503. In some embodiments, thevalidation server 506 can send (indicated by the circled number 6) thealert to the glassbox agent 510, which can store a value as a script bitthat indicates the execution of a script by the black box tester 503.

It is to be understood that the block diagram of FIG. 5 is not intendedto indicate that the web server 504 is to include all of the componentsshown in FIG. 5. Rather, the web server 504 can include fewer oradditional components not illustrated in FIG. 5 (e.g., additional blackbox testers 502 and 503, embedded controllers, additional modules,additional network interfaces, etc.). Furthermore, the operationsillustrated in FIG. 5 can be executed in any particular order.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

What is claimed is:
 1. A method for detecting a persistent cross-sitescripting vulnerability comprising: inserting, via a processor, aclient-side script as input into a web application; requesting, via theprocessor, data from the web application; in response to requesting thedata, detecting that resource is sent from a client device to anexternal computing device in response to execution of the client-sidescript on the client device, wherein the external computing device is adifferent device than the client device; receiving at the externalcomputing device, the inserted client-side script in response torequesting data from the web application; receiving from the externalcomputing device, the inserted client-side script, in response toreceiving the client-side script at the external computing device;detecting, via the processor, that the client-side script issubsequently returned unaltered via the data request by comparing theinserted client-side script with the received client side script, andthat execution of the client-side script occurs.
 2. The method of claim1, further comprising: monitoring function calls to one or moreresources to detect a write operation attempting to store the inputtedclient-side script on a resource without alteration.
 3. The method ofclaim 1, wherein the inserted input simulates user interaction with theweb application.
 4. The method of claim 1, further comprising,responsive to detecting that execution of the client-side scriptoccurred, creating an indicator of a cross-site scripting vulnerabilityfound in the web application.
 5. The method of claim 1, wherein theinserted client-side script contains instructions to send an alert whenexecuted.
 6. The method of claim 5, wherein detecting whether executionof the client-side script occurs comprises receiving the alert.